Macos Remote System Discovery
Detects the enumeration of other remote systems.
Sigma rule (View on GitHub)
1title: Macos Remote System Discovery
2id: 10227522-8429-47e6-a301-f2b2d014e7ad
3status: test
4description: Detects the enumeration of other remote systems.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
7author: Alejandro Ortuno, oscd.community
8date: 2020-10-22
9modified: 2021-11-27
10tags:
11 - attack.discovery
12 - attack.t1018
13logsource:
14 category: process_creation
15 product: macos
16detection:
17 selection_1:
18 Image|endswith: '/arp'
19 CommandLine|contains: '-a'
20 selection_2:
21 Image|endswith: '/ping'
22 CommandLine|contains:
23 - ' 10.' # 10.0.0.0/8
24 - ' 192.168.' # 192.168.0.0/16
25 - ' 172.16.' # 172.16.0.0/12
26 - ' 172.17.'
27 - ' 172.18.'
28 - ' 172.19.'
29 - ' 172.20.'
30 - ' 172.21.'
31 - ' 172.22.'
32 - ' 172.23.'
33 - ' 172.24.'
34 - ' 172.25.'
35 - ' 172.26.'
36 - ' 172.27.'
37 - ' 172.28.'
38 - ' 172.29.'
39 - ' 172.30.'
40 - ' 172.31.'
41 - ' 127.' # 127.0.0.0/8
42 - ' 169.254.' # 169.254.0.0/16
43 condition: 1 of selection*
44falsepositives:
45 - Legitimate administration activities
46level: informational
References
Related rules
- Active Directory Computers Enumeration With Get-AdComputer
- Cisco Discovery
- DirectorySearcher Powershell Exploitation
- Linux Remote System Discovery
- Nltest.EXE Execution